Although our core offering is to be an independent advisor to CIOs and CISOs for security purchases, clients sometimes ask us how to strengthen their security organization (and if we can even recommend candidates).
While the scarcity of talent in security organizations is well known, the problem is exacerbated for medium-sized businesses that lack strong employer brands and cannot pay “Big Tech” salaries.
Sometimes their headquarters are also located in rural areas that may be unattractive to candidates. Some clients even consider a “CISO as a service” as a temporary workaround because they simply cannot find any suitable candidates. But this also comes with challenges, e.g., selecting the right provider and the internal management that is still necessary.
An option that is often overlooked is to hire engineers (or offer career progression for good performers in other parts of the business) and train them in IT/OT/IoT security.
Yes, there could be significant training time involved. On the other hand, this time is often used anyway – to no avail – trying to recruit candidates that already have job experience in information security. Training contracts can also be a good way to invest in and retain key talent. Apprentice contracts are now also more common in the UK, e.g., https://www.ukcybersecuritycouncil.org.uk/careers-learning/apprenticeship-schemes-and-opportunities/ .
Obviously engineers working in software development are similarly elusive and expensive.
But what about adjacent fields like product engineering, quality management, work safety, or even fresh graduates? And what about people returning to work after absence or leaving the armed forces – sometimes there may even be grants to support the training costs.
All engineers – no matter whether mechanical, electrical, industrial or a similar major – are trained in the following areas:
- Risk analysis
- Software coding
- Automation technologies
- Control technologies
- Structured project management
- Continuous improvement processes
Engineers build rockets, airplanes, robots and other amazing stuff. They are used to thinking about what can go wrong and how to reduce the consequences of failures – something which is often missing in discussions about adding security controls. Students choose engineering as their major because they love technology, and most of them have plenty of experience with computers from a young age (not just for playing games). They usually do not know how to operate an IT infrastructure of thousands of clients and servers, and they don’t have a CISSP certification. But in our experience many engineers are fast learners who can contribute meaningfully to IT security teams within a reasonable time frame after onboarding.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.